Delays in Patient Notification By Augusta University Medical Center Unexplained

A phishing attack on Augusta University Medical Center resulted in the unauthorized access of an individual to two employees’ email accounts. It is not clear when the hospital discovered the phishing attack, but the breach investigation came to a conclusion on July 18, 2017. It was confirmed that email accounts of the employees was accessed from April 20 to 21, 2017.

Access to the email accounts was stopped by resetting the passwords immediately after discovering the breach, . There was no confirmation whether the attackers accessed or copied any information in the accounts.

The patients affected by the breach were notified 5 months after the occurrence of the breach. The patients were informed that their sensitive information were contained in the compromised email accounts. The patients’ names, birth dates, addresses, driver’s license numbers, financial account details, Social Security numbers, prescription medication information, diagnoses, treatment details and medical record numbers were exposed but the amount of details vary for every patient.

It is not known yet the exact number of patients impacted by the breach, but AU Medical Center’s spokesperson claimed that fewer than 1% of the hospital’s patients were affected. All patients whose Social Security numbers were exposed were offered free credit monitoring and identity theft protection services.

Augusta University has experienced a phishing attack before – between September 7 and 9, 2016. That incident led to a breach of data because some employees reacted to phishing emails sent to them and got their email account credentials. The breach was promptly identified but all AU employees had to reset all their passwords because of the risk that could result from the phishing attack. The breach investigation was finished only on March 29, 2017. Breach notifications were sent to affected individuals within 60 days after the completion of the breach investigation. The HHS’ Office of Civil Rights received the breach report on May 26,2017.

The Health Insurance Portability and Accountability Act’s Breach Notification Rule requires HIPAA-covered entities to issue notification letters to patients and OCR up to 60 days from discovering a breach. Even with the 60-day allowance to report data breaches, notification must be issued ‘without unreasonable delay’. Failure to comply with the notification requirement may result in penalty.

This latest breach at Augusta University was also announced late – five months from the time the email accounts were compromised. The first phishing attack took 6 months to investigate and report. Patients were notified 8 months after the breach. It’s not known why the investigations took such a long time causing the delay of issuing notification. The phishing attack is still being investigated as reflected on OCR’s breach portal. The latest attack is not yet posted on the site.